Cisco ASA 5500-X Series Next-Generation Firewalls

Release Notes for the Cisco ASA Series, 9.3(x)


Release Notes for the Cisco ASA Series, Version 9.3(x)

First Published: July 24, 2014

Last Updated: April 22, 2015

This document contains release information for Cisco ASA software Version 9.3(x).

Important Notes

  • The ASA 5505 is not supported in this release or later. ASA Version 9.2 was the final release for the ASA 5505.
  • Windows NT AAA server was deprecated—In ASA Version 9.3, the Windows NT AAA server is no longer supported.
  • (9.3(2) and later) SSLv3 deprecation and SSL server version default change—SSLv3 is now deprecated. The default for the ssl server-version command is now tlsv1 instead of any. If you configure any, sslv3, or sslv3-only, the command is accepted with a warning. In the next major ASA release, these keywords will be removed from the ASA.
  • ASA CX module upgrade requirements—For ASA Version 9.3(2) and later, only ASA CX Version and later is supported. When upgrading your ASA, first upgrade the ASA CX software; otherwise the ASA CX module will become unresponsive.

System Requirements

For information about ASA/ASDM software and hardware requirements and compatibility, including module compatibility, see Cisco ASA Compatibility.

For VPN compatibility, see Supported VPN Platforms, Cisco ASA 5500 Series.

New Features

Note: New, changed, and deprecated syslog messages are listed in the syslog message guide.

New Features in Version 9.3(3)

Released: April 22, 2015

The following table lists the new features for ASA 9.3(3).


Table 1 New Features for ASA Version 9.3(3)



Platform Features

Show invalid usernames in syslog messages

You can now show invalid usernames in syslog messages for unsuccessful login attempts. The default setting is to hide usernames when the username is invalid or if the validity is unknown. If a user accidentally types a password instead of a username, for example, then it is more secure to hide the “username” in the resultant syslog message. You might want to show invalid usernames to help with troubleshooting login issues.

We introduced the following command: no logging hide username

This feature is not available in 9.4(1).

New Features in Version 9.3(2.200)

Released: December 18, 2014

The following table lists the new features for ASA Version 9.3(2.200).

This release supports only the ASAv.


Table 2 New Features for ASA Version 9.3(2.200)



Platform Features

ASAv with KVM and Virtio

You can deploy the ASAv using the Kernel-based Virtual Machine (KVM) and the Virtio virtual interface driver.

New Features in Version 9.3(2)

Released: December 18, 2014

The following table lists the new features for ASA Version 9.3(2).


Table 3 New Features for ASA Version 9.3(2)



Platform Features

ASA 5506-X

We introduced the ASA 5506-X.

We introduced or modified the following commands: service sw-reset-button, upgrade rommon, show environment temperature accelerator

ASA FirePOWER software module for the ASA 5506-X

You can configure ASA FirePOWER on the ASA 5506-X using ASDM; a separate FireSIGHT Management Center is not required, although you can use one instead of ASDM. Note: This feature requires ASA 7.3(3).


Mixed level SSPs in the ASA 5585-X

You can now use the following mixed level SSPs in the ASA 5585-X:


Requirements: ASA SSP in slot 0, ASA FirePOWER SSP in slot 1


A REST API was added to support configuring and managing major functions of the ASA.

We introduced or modified the following commands: rest-api image, rest-api agent, show rest-api agent, debug rest-api, show version

Support for ASA image signing and verification

ASA images are now signed using a digital signature. The digital signature is verified after the ASA is booted.

We introduced the following commands: copy /noverify, verify /image-signature, show software authenticity keys, show software authenticity file, show software authenticity running, show software authenticity development, software authenticity development, software authenticity key add special, software authenticity key revoke special

Accelerated security path load balancing

The accelerated security path (ASP) load balancing mechanism reduces packet drop and improves throughput by allowing multiple cores of the CPU to receive packets from an interface receive ring and work on them independently.

We introduced the following command: asp load-balance per-packet-auto


Firewall Features

Configuration session for editing ACLs and objects.

Forward referencing of objects and ACLs in access rules.

You can now edit ACLs and objects in an isolated configuration session. You can also forward reference objects and ACLs, that is, configure rules and access groups for objects or ACLs that do not yet exist.

We introduced the following commands: clear configuration session, clear session, configure session, forward-reference, show configuration session

SIP support for Trust Verification Services, NAT66, CUCM 10.5, and model 8831 phones.

You can now configure Trust Verification Services servers in SIP inspection. You can also use NAT66. SIP inspection has been tested with CUCM 10.5.

We introduced the following command: trust-verification-server.


Unified Communications support for CUCM 10.5

SIP and SCCP inspections were tested and verified with Cisco Unified Communications Manager 10.5.

Remote Access Features

Browser support for Citrix VDI

We now support an HTML 5-based browser solution for accessing the Citrix VDI, without requiring the Citrix Receiver client on the desktop.

Clientless SSL VPN for Mac OSX 10.9

We now support Clientless SSL VPN features such as the rewriter, smart tunnels, and plugins on all browsers that are supported on Mac OSX 10.9.

Interoperability with standards-based, third-party, IKEv2 remote access clients

We now support VPN connectivity via standards-based, third-party, IKEv2 remote-access clients (in addition to AnyConnect). Authentication support includes preshared keys, certificates, and user authentication via the Extensible Authentication Protocol (EAP).

We introduced or modified the following commands: ikev2 remote-authentication, ikev2 local-authentication, clear vpn-sessiondb, show vpn-sessiondb, vpn-sessiondb logoff


Transport Layer Security (TLS) version 1.2 support

We now support TLS version 1.2 for secure message transmission for ASDM, Clientless SSL VPN, and AnyConnect VPN.

We introduced or modified the following commands: ssl client-version, ssl server-version, ssl cipher, ssl trust-point, ssl dh-group, show ssl, show ssl cipher, show vpn-sessiondb

We deprecated the following command: ssl encryption
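
The following Python audit is an added example, not Cisco code. It checks a saved running configuration for three settings these release notes call out: the deprecated ssl server-version keywords (any, sslv3, sslv3-only), the deprecated ssl encryption command, and no logging hide username. The function names, the assumption that the configuration carries an "ASA Version x.y(z)" line, and the sample configurations are constructed for illustration.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Keywords the release notes say are accepted with a warning from 9.3(2) on.
DEPRECATED_SERVER_KEYWORDS = {"any", "sslv3", "sslv3-only"}
# Release in which the ssl server-version default changed from any to tlsv1.
DEFAULT_CHANGE = (9, 3, 2)

class Finding(NamedTuple):
    line_no: int  # 1-based line in the config; 0 when the issue is an absent line
    rule: str
    detail: str

# Assumption: the saved configuration contains a line such as "ASA Version 9.3(2)".
_VERSION_RE = re.compile(r"^ASA Version (\d+)\.(\d+)\((\d+)")

def parse_version(config: str) -> Optional[Tuple[int, ...]]:
    """Return (major, minor, maintenance) from the version line, or None."""
    for line in config.splitlines():
        m = _VERSION_RE.match(line.strip())
        if m:
            return tuple(int(x) for x in m.groups())
    return None

def audit(config: str) -> List[Finding]:
    """Flag the SSL/TLS and logging settings discussed in the 9.3(x) notes."""
    findings: List[Finding] = []
    explicit_server_version = False
    for n, raw in enumerate(config.splitlines(), 1):
        tokens = raw.lower().split()
        # Skip blank lines and comment lines ("!" separators, ": Saved" headers).
        if not tokens or tokens[0].startswith(("!", ":")):
            continue
        if tokens[:2] == ["ssl", "server-version"]:
            explicit_server_version = True
            keyword = tokens[2] if len(tokens) > 2 else ""
            if keyword in DEPRECATED_SERVER_KEYWORDS:
                findings.append(Finding(
                    n, "ssl-server-version",
                    f"'{keyword}' still permits SSLv3; use tlsv1 or later"))
        elif tokens[:2] == ["ssl", "encryption"]:
            findings.append(Finding(
                n, "ssl-encryption",
                "deprecated command; migrate to 'ssl cipher'"))
        elif tokens[:4] == ["no", "logging", "hide", "username"]:
            findings.append(Finding(
                n, "logging-hide-username",
                "invalid usernames (possibly mistyped passwords) appear in syslog"))
    # With no explicit setting, the effective value depends on the release.
    if not explicit_server_version:
        version = parse_version(config)
        if version is None:
            findings.append(Finding(
                0, "version-unknown",
                "no version line; cannot tell which ssl server-version default applies"))
        elif version < DEFAULT_CHANGE:
            findings.append(Finding(
                0, "ssl-server-version-default",
                "release predates 9.3(2); implicit default is 'any'"))
    return findings

# Constructed sample configurations (not taken from a real device).
SAMPLE_PRE_932 = """\
: Saved
ASA Version 9.3(1)
!
hostname fw-example
ssl encryption aes256-sha1 aes128-sha1
"""

SAMPLE_933_WEAK = """\
ASA Version 9.3(3)
!
logging enable
no logging hide username
ssl server-version any
"""

SAMPLE_933_CLEAN = """\
ASA Version 9.3(3)
!
logging enable
ssl server-version tlsv1
"""

if __name__ == "__main__":
    for name, cfg in [("pre-9.3(2)", SAMPLE_PRE_932),
                      ("9.3(3) weak", SAMPLE_933_WEAK),
                      ("9.3(3) clean", SAMPLE_933_CLEAN)]:
        print(name)
        for f in audit(cfg) or [Finding(0, "ok", "no findings")]:
            print(f"  line {f.line_no}: {f.rule}: {f.detail}")
```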


AnyConnect 4.0 support for TLS version 1.2

AnyConnect 4.0 now supports TLS version 1.2 with the following four additional cipher suites: DHE-RSA-AES256-SHA256, DHE-RSA-AES128-SHA256, AES256-SHA256, and AES128-SHA256.

Licensing Features

Cisco Smart Software Licensing for the ASAv

Smart Software Licensing lets you purchase and manage a pool of licenses. Unlike PAK licenses, smart licenses are not tied to a specific serial number. You can easily deploy or retire ASAvs without having to manage each unit’s license key. Smart Software Licensing also lets you see your license usage and needs at a glance.

We introduced the following commands: clear configure license, debug license agent, feature tier, http-proxy, license smart, license smart deregister, license smart register, license smart renew, show license, show running-config license, throughput level


High Availability Features

Lock configuration changes on the standby unit or standby context in a failover pair

You can now lock configuration changes on the standby unit (Active/Standby failover) or the standby context (Active/Active failover) so you cannot make changes on the standby unit outside normal configuration syncing.

We introduced the following command: failover standby config-lock


ASA clustering inter-site deployment in transparent mode with the ASA cluster firewalling between inside networks

You can now deploy a cluster in transparent mode between inside networks and the gateway router at each site (AKA East-West insertion), and extend the inside VLANs between sites. We recommend using Overlay Transport Virtualization (OTV), but you can use any method that ensures that the overlapping MAC Addresses and IP addresses of the gateway router do not leak between sites. Use a First Hop Redundancy Protocol (FHRP) such as HSRP to provide the same virtual MAC and IP addresses to the gateway routers.

Interface Features

Traffic Zones

You can group interfaces together into a traffic zone to accomplish traffic load balancing (using Equal Cost Multi-Path (ECMP) routing), route redundancy, and asymmetric routing across multiple interfaces.

Note: You cannot apply a security policy to a named zone; the security policy is interface-based. When interfaces in a zone are configured with the same access rule, NAT, and service policy, then load-balancing and asymmetric routing operate correctly.

We introduced or modified the following commands: zone, zone-member, show running-config zone, clear configure zone, show zone, show asp table zone, show nameif zone, show conn long, show local-host zone, show route zone, show asp table routing, clear conn zone, clear local-host zone


Routing Features

BGP support for IPv6

We added support for IPv6.

We introduced or modified the following commands: address-family ipv6, bgp router-id, ipv6 prefix-list, ipv6 prefix-list description, ipv6 prefix-list sequence-number, match ipv6 next-hop, match ipv6 route-source, match ipv6-address prefix-list, set ipv6-address prefix-list, set ipv6 next-hop, set ipv6 next-hop peer-address


Monitoring Features

SNMP MIBs and traps

The CISCO-PRODUCTS-MIB and CISCO-ENTITY-VENDORTYPE-OID-MIB have been updated to support the new ASA 5506-X.

The ASA 5506-X has been added as a new product to the SNMP sysObjectID OID and entPhysicalVendorType OID.

The ASA now supports the CISCO-CONFIG-MAN-MIB, which enables you to do the following:

  • Know which commands have been entered for a specific configuration.
  • Notify the NMS when a change has occurred in the running configuration.
  • Track the time stamps associated with the last time that the running configuration was changed or saved.
  • Track other changes to commands, such as terminal details and command sources.

We modified the following command: snmp-server enable traps


Showing route summary information for troubleshooting

The show route-summary command output has been added to the show tech-support detail command.

Management Features

System backup and restore

We now support complete system backup and restoration using the CLI.

We introduced the following commands: backup, restore

New Features in Version 9.3(1)

Released: July 24, 2014

The following table lists the new features for ASA Version 9.3(1).

The ASA 5505 is not supported in this release or later. ASA Version 9.2 was the final release for the ASA 5505.


Table 4 New Features for ASA Version 9.3(1)



Firewall Features

SIP, SCCP, and TLS Proxy support for IPv6

You can now inspect IPv6 traffic when using SIP, SCCP, and TLS Proxy (using SIP or SCCP).

We did not modify any commands.

Support for Cisco Unified Communications Manager 8.6

The ASA now interoperates with Cisco Unified Communications Manager Version 8.6 (including SCCPv21 support).

We did not modify any commands.

Transactional Commit Model on rule engine for access groups and NAT

When enabled, a rule update is applied after the rule compilation is completed, without affecting the rule matching performance.

We introduced the following commands: asp rule-engine transactional-commit, show running-config asp rule-engine transactional-commit, clear configure asp rule-engine transactional-commit


Remote Access Features

XenDesktop 7 Support for clientless SSL VPN

We added support for XenDesktop 7 to clientless SSL VPN. When creating a bookmark with auto sign-on, you can now specify a landing page URL or a Control ID.

We did not modify any commands.


AnyConnect Custom Attribute Enhancements

Custom attributes define and configure AnyConnect features that have not been incorporated into the ASA, such as Deferred Upgrade. Custom attribute configuration has been enhanced to allow multiple values and longer values, and now requires a specification of their type, name and value. They can now be added to Dynamic Access Policies as well as Group Policies. Previously defined custom attributes will be updated to this enhanced configuration format upon upgrade to 9.3.x.

We introduced or modified the following commands: anyconnect-custom-attr, anyconnect-custom-data, and anyconnect-custom


AnyConnect Identity Extensions (ACIDex) for Desktop Platforms

ACIDex, also known as AnyConnect Endpoint Attributes or Mobile Posture, is the method used by the AnyConnect VPN client to communicate posture information to the ASA. Dynamic Access Policies use these endpoint attributes to authorize users.

The AnyConnect VPN client now provides Platform identification for the desktop operating systems (Windows, Mac OS X, and Linux) and a pool of MAC Addresses which can be used by DAPs.

We did not modify any commands.


TrustSec SGT Assignment for VPN

TrustSec Security Group Tags (SGT) can now be added to the SGT-IP table on the ASA when a remote user connects.

We introduced the following new command: security-group-tag value


High Availability Features

Improved support for monitoring module health in clustering

We added improved support for monitoring module health in clustering.

We modified the following command: show cluster info health

Disable health monitoring of a hardware module

By default, the ASA monitors the health of an installed hardware module such as the ASA FirePOWER module. If you do not want a hardware module failure to trigger failover, you can disable module monitoring.

We modified the following command: monitor-interface service-module


Platform Features

ASP Load Balancing

The new auto option in the asp load-balance per-packet command enables the ASA to adaptively switch ASP load balancing per-packet on and off on each interface receive ring. This automatic mechanism detects whether or not asymmetric traffic has been introduced and helps avoid the following issues:

  • Overruns caused by sporadic traffic spikes on flows
  • Overruns caused by bulk flows oversubscribing specific interface receive rings
  • Overruns caused by relatively heavily overloaded interface receive rings, in which a single core cannot sustain the load

We introduced or modified the following commands: asp load-balance per-packet auto, show asp load-balance per-packet, show asp load-balance per-packet history, and clear asp load-balance history



Interface Features

Transparent mode bridge group maximum increased to 250

The bridge group maximum was increased from 8 to 250 bridge groups. You can configure up to 250 bridge groups in single mode or per context in multiple mode, with 4 interfaces maximum per bridge group.

We modified the following commands: interface bvi, bridge-group


Routing Features

BGP support for ASA clustering

We added support for BGP with ASA clustering.

We introduced the following new command: bgp router-id clusterpool


BGP support for nonstop forwarding

We added support for BGP Nonstop Forwarding.

We introduced the following new commands: bgp graceful-restart, neighbor ha-mode graceful-restart


BGP support for advertised maps

We added support for BGPv4 advertised map.

We introduced the following new command: neighbor advertise-map


OSPF Support for Non-Stop Forwarding (NSF)

OSPFv2 and OSPFv3 support for NSF was added.

We added the following commands: capability, nsf cisco, nsf cisco helper, nsf ietf, nsf ietf helper, nsf ietf helper strict-lsa-checking, graceful-restart, graceful-restart helper, graceful-restart helper strict-lsa-checking


AAA Features

Layer 2 Security Group Tag Imposition

You can now use security group tagging combined with Ethernet tagging to enforce policies. SGT plus Ethernet Tagging, also called Layer 2 SGT Imposition, enables the ASA to send and receive security group tags on Gigabit Ethernet interfaces using Cisco proprietary Ethernet framing (Ether Type 0x8909), which allows the insertion of source security group tags into plain-text Ethernet frames.

We introduced or modified the following commands: cts manual, policy static sgt, propagate sgt, cts role-based sgt-map, show cts sgt-map, packet-tracer, capture, show capture, show asp drop, show asp table classify, show running-config all, clear configure all, and write memory


Removal of AAA Windows NT domain authentication

We removed NTLM support for remote access VPN users.

We deprecated the following command: aaa-server protocol nt


Monitoring Features

Monitoring Aggregated Traffic for Physical Interfaces

The show traffic command output has been updated to include aggregated traffic for physical interfaces information. To enable this feature, you must first enter the sysopt traffic detailed-statistics command.

Upgrading the Software

See the following table for the upgrade path for your version. Some versions require an interim upgrade before you can upgrade to the latest version.

Note: There are no special requirements for Zero Downtime Upgrades for failover and ASA clustering with the following exception. Upgrading ASA clustering from 9.0(1) or 9.1(1): due to CSCue72961, hitless upgrading is not supported.


Current ASA Version

First Upgrade to:

Then Upgrade to:

8.2(x) and earlier
9.3(1) or later
9.3(1) or later
8.4(1) through 8.4(4)
8.4(6), 9.0(4), or 9.1(2)
9.3(1) or later
8.4(5) and later
9.3(1) or later
9.0(4) or 9.1(2)
9.3(1) or later
9.0(4) or 9.1(2)
9.3(1) or later
9.0(4) or 9.1(2)
9.3(1) or later
9.0(2) or later
9.3(1) or later
9.3(1) or later
9.1(2) or later
9.3(1) or later
9.3(1) or later

For detailed steps about upgrading, see the 9.3 upgrade guide.

Open and Resolved Bugs

The open and resolved bugs for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.

Note: You must have a account to log in and access the Cisco Bug Search Tool. If you do not have one, you can register for an account.

For more information about the Cisco Bug Search Tool, see the Bug Search Tool Help & FAQ.

Open Bugs

Open Bugs in 9.3(3)

All open bugs severity 3 and higher for Version 9.3(3) are included in this search:

You can also perform other searches as desired.

For example, to find bugs that were added between 9.3(2) and 9.3(3), you can search for:

  • Product > Series/Model Cisco ASA 5500-X Series Next-Generation Firewalls
  • Releases > Affecting these releases 9.3(2., and 9.3(3)

The “9.3(2.” search finds all 9.3(2.x) interim releases and builds. “9.3(3)” includes any new bugs found on the released 9.3(3) version.

  • Filter > Status Open
  • (Optional) Filter > Severity 3 or higher


Open Bugs in 9.3(2.200) and Earlier

The following table contains open bugs in 9.3(2.200) and earlier.


Table 5 Open Bugs in ASA Version 9.3(2.200) and Earlier



L2 Clustering:OSPFv2, Eigrp and OSPFv3 RIB not replicated to slave node
ASA SFR: memory corruption following a sys install
WEBVPN: DWA_8_5 can not be accessed in FF15 via Kenton
ASA Mgmt Session stuck on running "sh block exhaustion snapshot/history"
On deleting access-list attached to route-map,ASA is not throwing ERROR
ASA sporadic crypto errors with SSL VPN using TLS1.x DHE ciphers
5506-5508: "show file info lfbff-k8.SPA" missing version and wrong size
ACL Hash calculated using object NAME and not object value
ASA traceback in Thread Name: ci/console, assertion "snp_sp_action.c"
ASA5506: Packet-tracer shows output interface as "NP Identity Ifc
ASA low DMA memory on low end ASA-X -5512/5515 devices
ASA prefers Suite-B algorithms w/ AC Essentials enabled for AC IKEv2
ASA: 'no monitor-interface service-module' command gone after reload.
ASA 9.3.1 meaningful log message for "DAP: Processing error: Code 2991"
ASA: speed slow down after creating multiple ACL entries via REST POST
show traffic protocol statistics shows huge counter value
"sysopt traffic detailed-statistics" not visible in "show run"
CI-STS: ASA-6-305010 syslog is not generated after clear nat
ASA teardown connection after receiving same direction fins
ASA: traceback may occur in DATAPATH-0-1339 with ASDM ACL config

Resolved Bugs

Resolved Bugs in 9.3(3)

All resolved bugs for Version 9.3(3) are included in this search:

Resolved Bugs in 9.3(2.200)

There were no resolved bugs in Version 9.3(2.200).

Resolved Bugs in 9.3(2)

The following table contains resolved bugs in ASA Version 9.3(2).


Table 6 Resolved Bugs in ASA Version 9.3(2)



Syslog 106100 not generated on second context when cascading contexts.
vpn-sessiondb detail missing Filter Name after IKEv1 rekey
ASA: Crash when out of stack memory with call-home configured
Arsenal:twice NAT with service type ftp not working.
ASA SSL: Continues to accept SSLv3 during TLSv1 only mode
ASA: Last packet in PCAP capture file not readable
Idle timer and half-closed idle timer reset by out of sequence SYN
ASA 8.4.6 MAC Address flapping with Port-Channels and IPv6
SSH timeout on ASA
ASA5585-SSP60 Traceback in Thread Name SSH on Capture Command
ASA may traceback when "write standby" command is entered twice
ASA stops decrypting certain L2L traffic after working for some time
ASA does not recognise "packet too big" for assembled ICMPv6 echo reply
ASA WebVPN Memory leak leading to Blank Portal Page/AnyConnect failure
ENH: Add "speed nonegotiate" command for fiber interfaces on ASA5585
object nat config getting deleted after reloaded with vpdn config
Traceback DHCP 'IP Address Assign' while upgrading ASAs in Failover
ASA allows IKEv1 clients to bypass address assignment, causing conflict
CWS: Large downloads on HTTPS fail when server side seq number wraps
ASA WebVPN Rewriter: Custom HTTP Headers Not Properly Rewritten
Traceback in Thread Name: ssh_init
ASA tmatch_summary_alloc block leak in binsize 1024
webvpn jscript post to wrong URL - ASA FQDN same as server FQDN
ASA Traceback in Thread name: ci/console while modifying an object-group
"no speed nonegotiate" command in ASA 5580 running 9.1.5 in show run
ASA - Traceback in DATAPATH-0-1275
ASA: Traceback Page Fault in vpnfol_thread_msg on Standby ASA
ASA: BGP not performing outbound route-filtering
No syslogs for ASDM or clientless access with blank username/password
Personal bookmarks get deleted with ASA in Active/Standby failover
ASA SSLVPN Citrix Java client error - java.lang.ClassNotFoundException
WebVPN: uploading customized portal.css breaks the portal login page
ASA crashes with Page Fault with multiple configuration sessions
ASA failover standby device reboots due to delays in config replication
ASA rewrites incorrect content-length in SIP message
ASA Smart Call does not hide IPv6 addresses for ND
IPv4 ACLs not working after merging IPv4 and IPv6 ACLs by upgrading
ASA : Failover descriptor does not change after reconfiguring VLAN
accounting not per rfc in dual factor auth case
SNMP: Power supply OIDs missing if no power input on 5500-X
ASA providing inaccurate Tunnel count to ASDM
IPsecOverNatT tunnel disappears after ASA failovers
Smart Tunnels Spawn "UNKNOWN Publisher" Warning w/Java 7 Update 60
Using "?" to list files in directory with thousands of files causing hog
Show memory app-cache command shows incorrect bytes if more than 2^32
vbscript getting caught in loop when passing thru ASA WebVPN Rewriter
Using ASA 9.2.1, Anyconnect weblaunch fails with URL-list in DAP
Traceback when executing "show crypto accelerator load-balance"
Local pool address not released -> Duplicate local pool address found
traceback in thread name: netfs_thread_init
WebVPN HTML Style "Overflow:Hidden" Breaks Custom Logon Pages
ASA - Traceback in thread name SSH while changing NAT configuration
ASDM Certificate validation failure
Cisco ASA VPN Failover Commands Injection Vulnerability
WebVPN: Rewriter issue with PATHIX Inspection Database
Cisco ASA SSL VPN Info Disclosure and DoS Vulnerability
ASA as DHCP relay, DHCP offer is not forwarded to the client
ASA: Increased processor temperature after upgrade
Webvpn: Support for XFRAME in additional portal and CSD pages
PPPoE with static IP address deny packets after reload ASA
Traceback caused by WCCP
Cisco ASA Failover IPSEC does not encrypt failover link
ASA : timeout floating-conn not working when PPPoE is configured
ASA 9.2 : Static Null route not redistributed over EIGRP to neighbors
ASA Radius Access-Request contains both User-Password and CHAP-Password
ASA: EIGRP neighbor relationship flapping
Traceback in Thread Name qos_metric_daemon caused by asdm history enable
Cisco ASA VNMC Input Validation Vulnerability
IPv6 tunneled route on link-local interfaces
ASA: CLI commands are not displaying options for local authorization
LDAP CLI: Quotes removed if ldap attribute-map name has spaces
DMA memory leak in 256 byte fragments with nbns-server config
ASA not sending RST packet for connections dropped by Botnet filter
ASA can use wrong trustpoint with rekeyed CAs are cfg in trustpoints.
ASA not sending PIM register message to RP
with Anyconnect deflate compression ASA gives ASA-3-722021 syslog
ASA returns wrong content-length for cut-thru proxy authentication page
ASA tracebacks in Thread Name: ssh due to watchdog
Incorrect content-length when maddr present with URI in SIP message body
IPv6 stateless autoconfiguration fails if managed config flag in RA
ASA L2TP Split-Tunnel DHCPC: DHCP daemon got msg for uninitialized
ASA: standby traceback during replication of specific privilege command
ASA Local CA generates unexpected renewal reminder message
Cisco ASA Software Version Information Disclosure Vulnerability
Traceback in clacp_enforce_load_balance with ASA Clustering
ASA Cluster slave unit loses default route due to sla monitor
Cisco ASA SSL VPN Memory Blocks Exhaustion Vulnerability
ASA - 80 Byte memory block depletion
ASA traceback in DATAPATH-0-2078 thread
ASA:Page fault traceback ACL FQDN Object-group
ASA Cluster: IDFW traceback inThread Name: DATAPATH-3-132
1550 block leak occur if DNS replies "refused" query response
Inspect rule defaults in standby transparent context on write standby
ASA5580 speed nonegotiate settings kept link down after shut/no shut
User membership not updated in parent group
ASA: RST packet forwarded with non-zero ACK number (and ACK flag clear)
There are two certificates related to one trustpoint on standby unit.
Object Group Search causing legitimate traffic to be dropped by ACL
Traceback on ASA when Attempting to Join Cluster with Low Memory
ASA ACL hitcount not correct for ACLs with service object groups
Traceback on standby ASA during hitless upgrade
DHCP Relay reloads after changing server interface
SDI authentication doesn't work in more than one contexts.
nested custom write functions causing blank page through rewriter
Control Plane ACL Not Working for Redirected HTTP Traffic
ASA assert traceback on Standby Unit in c_idfw.c
Traceback: pki-crl: Thread Name: Crypto CA with traffic through VPN L2L
ASA Client login timeout issue due to proxy match inconsistency
EIGRP tag incorrectly send by ASA
ASA DSCP marking applies to all SSL traffic
Failed to allocate global ID when adding service-policy
traceback @ hash_table_simple.c:192
ASA Crash in vpnfol_thread_msg thread
Webvpn: Support for XFRAME for non-critical URL's
ASA accounting request does not contain radius-class(25) attribute
RSH inspect conn not replicated to standby with cut_thru missing punt
ASA SCP Client does not prompt for password when not inc. in copy string
DATAPATH Traceback in snp_mp_svc_udp_upstream_data function
ASA Traceback in Thread Name: DATAPATH-6-2544
ASA Traceback in Thread Name: DATAPATH-3-1274

Resolved Bugs in 9.3(1)

The following table contains resolved bugs in ASA Version 9.3(1).


Table 7 Resolved Bugs in ASA Version 9.3(1)



ENH - Add device serial number and platform string to show run output
Allow user to exclude the status of the SSM or SSP from failover checks
'LU allocate xlate failed' syslog should include more data
Double auth not triggered if using secondary-aaa-server per interface
Cisco ASA Webtype ACL By-Pass Vulnerability
ACL renamed but syslog doesn't reflect new name
ENH - show traffic should include packet size distribution and flow info
block and chunk data needs to be included at beginning of crashinfo
show blocks exhaustion snapshot only takes single snapshot
Implement a syslog to indicate the version of the anyConnect client
ENH: ASA drops ICMP Error Reply for uni-directional SCTP Traffic
DHCP Relay needs to handle DHCPREQUEST differently
Easy VPN Remote not re-establishing nem-st-autoconnect setting changed
ASA SSLVPN/DTLS: Copy inner packet TOS field to outer header
A warning message is needed when a new encryption license is applied
Asa 5580-20: object-group-search access-control causes failover problem
ASA transparent mode should support 'inspect icmp error'
AC Script/customi:no 'linux-64' option(maybe it should be 'freeform'?)
ASA5500-x: "speed nonegotiate" command not available for fiber interface
Slow throughput of AnyConnect client w/DTLS compared to IPSec IKEv1
ASA: Huge NAT config causes traceback due to unbalanced p3 tree
DNS: Inspection drops non PTR queries
Need Syslog containing assigned IP address for AnyConnect IKEv2
ENH: Citrix Receiver proxy on ASA support for backend Storefront server
ICMP destination unreachable for L2TP PMTU error not sent to server
SVC_UDP Module is in flow control with a SINGLE DTLS tunnel
Dropped packets/Retries/Timeout on applying a huge ACL on existing acl
AC 3.1:ASA incorrectly handles alternate DTLS port,causes reconnect
ASA 9.1.2 DHCP - Wireless Apple devices are not getting an IP via DHCPD
ENH - SCP Support on the ASA
ASA 9.1: timer app id was corrupted causing to Dispatch Unit traceback
ACL Migration to 8.3+ Software Unnecessarily Expands Object Groups
ASA may reload with traceback in Thread Name: vpnfol_thread_msg
ASA traceback in Thread Name: fover_parse during command replication
ASA 9.1.2 - Traceback in Thread Name: fover_parse during configuration
%ASA-6-113005 should contain IP that initiated failed auth attempt
WebVPN portal page misses large title after portal redesign
ENH - ASA and AAA Operations
ASA OSPF route stuck in database and routing table
ASA: Page fault traceback with 'show dynamic-filter dns-snoop detail'
ASA SMR: Multicast traffic for some groups stops flowing after failover
ASA cifs share enumeration DOS vulnerability
IDFW: user-group is not deactivated even if IDFW ACL is removed
ASA: ARP Fails for Subinterface Allocated to Multiple Contexts on Gi0/6
ASA fails to set forward address in OSPF route redistrubution
ASA Memory usage in a context rises
CWS: ASA forwards HTTPS packets to CWS tower in wrong sequence
vpn load-balancing configuration exits sub-command menu unexpectedly
ASA may drop all traffic with Hierarchical priority queuing
ASA: Page fault traceback after running show asp table socket
ASA traceback in Thread Name: DATAPATH due to double block free
ASA 5505 SIP packets may have extra padding one egress of 5505
ENH: Need to optimize messages printed on upgrade from 8.2- to 8.3+
ASA Unicorn rewriter memory corruption
ASA traceback when uploading an image using FTP
2048 byte block depletion with Smart-Tunnel Application
ASA Transparent mode doesn't pass DHCP discover message
ASA should allow out-of-order traffic through normalizer for ScanSafe
ASA Transparent A/A - Replicated MAC addresses not deleted after timeout
ASA failover cluster traceback when replicating the configuration
ASA with ICMP insp. drops replies with 'seq num not matched' code
Case sensitivity check missing for Web Type ACL and Access-group
IPSEC VPN - One crypto ACE mismatch terminates all Phase2 with that peer
ASA Page Fault Traceback in 'vpnfol_thread_msg' Thread
ASA fails to perform KCD SSO when web server listens on non-default port
Acct-stop for VPN session doesn't send out when failover occurred
ASA IGMP receiver-specific filter blocks all multicast receivers
ASA sends RST to both ends when CX policy denies based on destination IP
WEBVPN IE 11: CIFS bookmarks showing with unicode
EIGRP: Auth key with space replicates to Secondary with no space
ASA:Webvpn character encoding instructions unclear
Capture Isakmp w/ match statement cause Standby to reload at replication
ASA: ACL CLI not converting to any4
WEBVPN multiple issues with LMS application
ASA: Phy setting change on member interfaces not seen on port-channel
BPDUs on egress from ASA-SM dropped on backplane
Redundant IFC not Switching Back
ASA TCP Proxy can corrupt data, cause ACK storms and session hangs
ASA tears down SIP signaling conn w/ reason Connection timeout
ASA translates the source address of OSPF hello packets
'Route-Lookup' Behavior Assumed for Twice NAT with Identity Destination
ASA - DHCP Discover Sent out during boot process
ASA reloads on Thread name: idfw_proc
ASA drops DHCP Offer packet in ASP when nat configured with "Any"
ASA reloads due to SSL processing
secondary standby loses his cluster license after upgrade to 8.4.(7.3)
webvpn issue,part of the http request not sent by the client to ASA
ASA not allowing AC IKEv2 Suite-B with default Premium Peer license
SSH: ASA 9.1.3 rare traceback observed during ping command
ASA traceback with Thread Name: IKE Common thread
IKEv1 - Send INVALID_ID_INFO when received P2 ID's not in crypto map
Webvpn: Add permissions attribute to portforwarder jar file
Webvpn: Add permissions attribute to mac smart-tunnel jar
ASA: Auth failures for SNMPv3 polling after unit rejoins cluster
WebVPN: ASA webVPN fails to rewrite dynamic content of pubmed website
ASA:Traceback in Thread Name: DATAPATH-23-2334
Traceback in IKEv2 Daemon with AnyConnect Failure
uauth session considered inactive when inspect icmp is enabled
idle time field is missing in show uauth output
WebVPN configs not synchronized when configured in certain order-v3
Problem configuring QOS priority with user-statistic on same policy-map
IKEv2 leaks embryonic SAs during child SA negotiation with PFS mismatch
Smart-tunnel for windows-Liveconnect exception-JRE 1.7u51
ASA traceback on NAT assert on file nat_conf.c
ASA should not allow interface MTU config greater than 9202/9198
ASA 5500-X: Chassis Serial Number missing in entity MIB
Webvpn: connecting to oracle network SSO returns error
Webvpn: web applications that may refresh a page with "#" fail
HTTP redirect to the VPNLB address using HTTPS fails in 9.1.4/9.0.4.x
Datapath:Observing Deadlock in different DATAPATH threads
Traffic does not hit Twice NAT configured after Static PAT
ASA5585-SSP60 Teardown process is delayed under heavy traffic condition
Traceback on standby ASASM when executing the failover active command
ASA Backup scansafe tower is never polled
ASA: Watchdog traceback in Unicorn Admin Handler with TopN host stats
ASA traceback in Unicorn Admin Handler
ASA: Traceback in pix_flash_config_thread when upgrading with names
ASA - VPN session leak for IKEv2 if L2L sessions land on RA tunnel group
Traceback in Thread: IPsec message handler with rip-tlog_event_allocate
ASA Cluster: Unable to stop captures on CCL in a context
SunRPC GETPORT Reply dropped when two active sessions use same xid
show cluster info goid output needs formatting
Aborted AnyConnect Authentications can cause resource leak
Sourcefire Defense Center not able to be rendered via Clientless SSL VPN
ASA 9.1.3 SNMP Traceback in Thread Name: SNMP
Traceback in Thread Name: ci/console
IKEv2 routes not installed if Dynamic and Static Crypto Map Match
ASA cluster - RSA key size 4096 bits is not replicated cluster members
Assigned IP in show vpn-sessiondb anyconnect is missing.
Windows ICMP based Traceroute through ASA failing
ASA WebVPN memory leak - blank portal page
capture option to be provided to collect pcap frm node other than master
Ping doesn't work between peer IPs when answer-only is configured
Java rewriting takes too much time
ASA: Traceback in aware_http_server_thread after upgrade
ASA Traceback in DATAPATH-1-1400 with error message shrlock_join_domain
ASA-IC-6GE-SFP-C SFP port doesn't come up
ASA traceback in Thread Name: IKE Daemon: with CX redirect in place.
DAP creates dynamic ACLs even if single ACL selected.
Regex modification within context causes ASA traceback
ASA WebVPN login page XSS vulnerability
ASA 9.1.x should accept RIP V1 updates
ASA traceback when retrieving idfw topn user from slave
XenDeskTop7:cannot relogin to StoreFront interface after logoff
Anyconnect: Split-Tunnel does not work with subnet
AnyConnect Password Management Fails with SMS Passcode
When long line is entered on cli, all chars > 510 silently discarded
ASA using IKEv2 rejects multiple NAT_DETECTION_SOURCE_IP payloads
ASA Cluster ICMP with PAT not functional on reload
ASA 5585 cluster indicating SSM card down but no SSM module
Data path: ASA traceback in CTM message handler
ASA IPSec - DNS reply for RA client dropped when LZS compression enabled
L2TP/IPSec connection is failed when there is PAT router.
Hash calculated for multiple ACEs on ASA are same
ASA: Traceback in thread Name: DATAPATH-1-2581
ASA Tears Down Connections With Reason of 'snp_drop_none'
Unable to access webvpn portal when CSD and IE content advisor enabled.
ASA cut a part of credential data during cut-thru proxy authentication
Cisco ASA DHCPv6 Denial of Service Vulnerability
ASA changes to improve CX throughput and prevent unnecessary failovers
ASDM interface graph showing bogus values in S/W and H/W output queue
ASA-SM not sending SNMP traps with 9.0.4
terminal width command is deleted when removing other context
5585-20 traceback in Thread Name Datapath w/ DCERPC inspection
IDM/IME/File Transfer Slow For Certain Source and Destination IP Pairs
Posture assessment failing after HS upgrade to 3.1.05152
OSPFv3 route stuck in routing table after failover
MEMLEAK: 128 byte leaks when requesting IPv6 address for AnyConnect
Name for IPv6 address causes objects to became empty after reload
Cisco ASA Information Disclosure Vulnerability
Packet-tracer showing incorrect result for certain NAT configurations
Nameif command not allowed on TFW multimode ASA with clustering
'ASA modifies Request Host Part under 'ACK' packet for SIP connection'
ASA 5505 u-turned/hairpinned conn counts toward license local-host limit
High CPU with IKE daemon Process
ASA drops packet due to nat-no-xlate-to-pat-pool after removing NAT rule
ASA 8.4.6: Traceback with fover_FSM_thread
Saleen copper module port speed/duplex changes ineffective
To the box traffic dropped due to vpn load-balancing (mis)configuration
SNMP: cpmCPUTotal5sec/1min/5min return "0"
VPN client firewall and split-tunneling mishandle "inactive" acl rules
Clientless scrollbar on right hand side of the screen doesn't render
ASA 9.1 DMA Memory exhaustion in 240 binsize
ASA traceback in webvpn datapath
ASA WebVPN Memory leak leading to Blank Portal Page/AnyConnect failure
VPN-filter ACL drops all traffic after upgrade for pre 8.3 to 9.x
IPsec transform sets mode changes from transport to tunnel after editing
CSCub92315 fix is incomplete
Interop: relax PrintableString encoding enforcement in PKI
ASA - Cut Through Proxy sends empty redirect w/ Virtual HTTP and Telnet
ASA SIP Inspect:'From: header' in the INVITE not NATed for outbound flow
ASA: Traceback in Thread Name: Dispatch Unit when enable debug ppp int
ASA SSLVPN OWA 2007: Unable to attach files >= 1 MB with KCD enabled
Traceback on DATAPATH-7-1524 Generating Botnet Filter Syslog
ASA WebVPN Rewriter: CSCOGet_location Improperly Pulls Full Web Address
Traceback with thread DATAPATH-2-1181
ASA traceback (Page fault) during xlate replication in a failover setup
ASA does not relay BOOTP packets
Multicast - ASA doesn't populate mroutes after failover
ASA: HTTP function failing over WebVPN
WebVPN capture causes conflict with other capture types
ASA IKEv2 "Duplicate entry in tunnel manager" (post 9.1.5)
ASA: Webvpn using incorrect password for auto-signon with Radius/OTP
ASA doesn't send invalid SPI notify for non-existent NAT-T IPSec SA
ASA 9.1.(3)4 Memory Leak in KCD
ASA Rewriter does not support encoded values for characters like " ' "
WebVPN: Javascript rewrite issue with Secret Server Application
ASA 9.x Management Port-Channel Cannot configure management-only in TFW
Firewall may crash while clearing the configuration
Traceback when using IDFW ACL's with VPN VPN Filters
5585-20 9.2.1 Traceback in Thread Name: DATAPATH-1-1567
CIFS drag & drop not working with remote file explorer over webvpn
ASA NAT: Some NAT removed after upgrade from to 9.x
Giaddr to be set to the address of interface facing the client.
ASA allows to empty an access-list referenced elsewhere
ASA - crash in SSL Client compression in low memory conditions
Standby ASA traceback on Fover_Parse with Botnet Filter
show vpn load-balancing shows Public addr as Cluster IP addr for Master
Inconsistencies seen while sending warmstart trap on reload
Failover Standby unit has higher memory utilization
Snmp-server hosts entries are lost when upgrading from 9.1(4) to 9.1(5)
ASA WebVPN: Script error when using port-forwarding
9.0(4)5 - Unable to access internal site via clientless SSLVPN
ASA SSLVPN Java plugins fail through proxy with Connection Exception
L2TP/IPsec fragmentation change causing ICMP-PMTU being sent
show webvpn kcd Error code 2 (ERROR_FILE_NOT_FOUND)
ASA: Webvpn Clientless - certificate authentication fails intermittently
ASA - Traceback in thread name: sch_prompt anonymous reporting
ASA traceback in Thread Name : Checkheaps when snmp config is cleared
IKEv2 DPD is sent at an interval not correlating to the specified value
Jumbo frame calculations are incorrect or hard coded
TCP intercept does not work after embryonic connection ends
ASA Panic: CP Processing - ERROR: shrlock_join_domain
ASA EIGRP does not reset hold time after receiving update
ASA doesn't apply vpn-filter if group policy is assigned by Cisco VSA 25
WebVPN Problem- icons missing, buttons not working
SNMP: Unable to verify presence of second power supply in ASA 5545
Remove Comment in Cookie
ASA: Page fault traceback in DATAPATH when DNS inspection is enabled
ASA - Wrong object-group migration during upgrade from 8.2
ASA - Permitting/blocking traffic based on wrong IPs in ACL
ASA traceback in thread name idfw_adagent
ASA Overwrite any file on WebVPN RAMFS
ASA with ACL optimization crashing in "fover_parse" thread

End-User License Agreement

For information on the end-user license agreement, go to

Related Documentation

For additional information on the ASA, see Navigating the Cisco ASA Series Documentation.

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What’s New in Cisco Product Documentation at:

Subscribe to What’s New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed and deliver content directly to your desktop using a reader application. The RSS feeds are a free service.

This document is to be used in conjunction with the documents listed in the “Related Documentation” section.

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

©2015 Cisco Systems, Inc. All rights reserved.